sna/damage: Guard against integer overflow before malloc

Check that the multiplication to compute the allocation will not overflow. Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
author: Chris Wilson <chris@chris-wilson.co.uk> 2013-11-15 21:20:30 +0000
committer: Chris Wilson <chris@chris-wilson.co.uk> 2013-11-15 21:20:30 +0000
commit: 52612185c60605542beb3745a2500ed65a8ffff0 (patch)
tree: 154306008c99361e0e99dad7debab4dc27c73df4 /src/sna/sna_damage.c
parent: 95c3892dd3911ba44ae3170573de1153857b15a8 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/sna/sna_damage.c b/src/sna/sna_damage.c
index 5730a25d..fb161b58 100644
--- a/src/sna/sna_damage.c
+++ b/src/sna/sna_damage.c
@@ -206,6 +206,9 @@ static bool _sna_damage_create_boxes(struct sna_damage *damage,
 
 	DBG(("    %s(%d->%d): new\n", __FUNCTION__, count, n));
 
+	if (n > (INT_MAX - sizeof(*box)) / sizeof(BoxRec))
+		return false;
+
 	box = malloc(sizeof(*box) + sizeof(BoxRec)*n);
 	if (box == NULL)
 		return false;
@@ -380,7 +383,7 @@ _sna_damage_create_elt_from_points(struct sna_damage *damage,
 
 	DBG(("    %s(): new elt\n", __FUNCTION__));
 
-	if (! _sna_damage_create_boxes(damage, count))
+	if (!_sna_damage_create_boxes(damage, count))
 		return damage;
 
 	for (i = 0; i < count; i++) {
author	Chris Wilson <chris@chris-wilson.co.uk>	2013-11-15 21:20:30 +0000
committer	Chris Wilson <chris@chris-wilson.co.uk>	2013-11-15 21:20:30 +0000
commit	52612185c60605542beb3745a2500ed65a8ffff0 (patch)
tree	154306008c99361e0e99dad7debab4dc27c73df4 /src/sna/sna_damage.c
parent	95c3892dd3911ba44ae3170573de1153857b15a8 (diff)